General Data Protection Regulation: After many years of debate, the European General Data Protection Regulation (GDPR) has finally been agreed and passed, and the date has been set for its implementation: 25 May 2018.
While the impact of Brexit is currently uncertain, it is highly likely that the UK will continue to implement the GDPR in the short term and would need to maintain a law similar to the GDPR in the longer term. For more information on the GDPR and how to comply, please see our publications here and here.
International data transfers: On 12 July 2016, the European Commission finally approved the much-debated EU-US Privacy Shield, which provides a compliance framework for US entities to safeguard personal data of EU citizens. Companies looking to self-certify should carefully review the obligations under the Privacy Shield and the consequences that a certification will have on their business. The Privacy Shield now contains stronger rules on data retention, onward transfers and additional safeguards related to the access to personal data by US law enforcement agencies. For more information, please see our note here. Meanwhile, the Irish Data Protection Commissioner is intending to seek declaratory relief in the Irish High Court and a referral to the Court of Justice of the European Union to determine the legal status of data transfers on the basis of the EU Model Clauses. The case will be heard in the Irish High Court in February 2017.
e-Privacy Directive: The e-Privacy Directive (which is implemented in the UK by the Privacy and Electronic Communications Regulations 2003 (PECR)) is intended to complement the existing EU Data Protection Directive, by setting out specific rules for the processing of personal data and the protection of privacy in the electronic communications sector. The e-Privacy Directive has been in need of review for some time, and the review has been accelerated by the adoption of the GDPR.
In July 2016, both the Article 29 Working Party and the European Data Protection Supervisor issued their respective opinions on the evaluation and review of the e-Privacy Directive.
In August 2016, the European Commission published a summary report on the contributions made to the consultation, and the trends emerging from them.
The Commission is now carrying out an in-depth analysis of the responses, and a full synopsis report is expected to be published in autumn 2016.
Digital Economy Bill: The Digital Economy Bill, which was outlined in the May 2016 Queen’s speech, is intended to ensure that the UK remains at the forefront of the twenty-first century economy. The Bill was introduced to Parliament on 5 July 2016 and is anticipated to gain Royal Assent in spring 2017.
The Bill is split into several parts, covering: the legal right to a fast broadband connection; consistent enforcement of intellectual property rights online and offline; and better sharing of publicly held data to improve public services and produce world-leading research and statistics. Amongst the proposals is a commitment to protect consumers from spam e-mail and nuisance calls. The suggestion is that opt-in consent should be obtained for direct marketing to individuals, irrespective of the channel used; and that guidance from the Information Commissioner’s Office (the ICO) could be put on a statutory footing, meaning that it could be considered by the courts.
Investigatory Powers Bill: The draft Investigatory Powers Bill has continued its progression through Parliament. The Bill is attracting public controversy and a number of substantive amendments have been suggested during its parliamentary passage.
Meanwhile, on 19 August 2016, David Anderson QC, the independent reviewer of terrorism legislation, published his Bulk Powers Review – a review into the operational case for the four bulk collection powers set out in the Investigatory Powers Bill.
The text of the Bill was agreed on 16 November 2016. We expect the Bill to become law within weeks.
In Focus: Enforcement
The ICO is an independent regulatory office responsible for, amongst other things, the enforcement of the Data Protection Act 1998 (DPA) and for the Freedom of Information Act 2000. The ICO has a number of tools available to ensure that the behaviour of companies and individuals is in line with the relevant legislation. These include criminal prosecution, noncriminal enforcement and audit.
Currently, the ICO may issue monetary penalty notices requiring companies to pay up to £500,000 for serious breaches of the DPA occurring on or after 6 April 2010. However, from 25 May 2018 when the GDPR comes into force, fines for data controllers could reach up to €20m or 4% of global annual turnover, whilst data processors could be fined up to €10m or 2% of global annual turnover.
The ICO’s 2015/2016 annual report (available here) neatly summarises the ICO’s aims over the last year, as well as demonstrating trends in enforcement over that period.
In the last year, monetary penalty notices have been issued for:
- failing to register data processing activities with the ICO;
- failing to properly respond to subject access requests;
- direct marketing in breach of the rules in the PECR; and
- failing to take appropriate technical and organisational measures to keep personal data secure.
So, what about next year?
On 18 July 2016, Elizabeth Denham replaced Christopher Graham as the UK’s Information Commissioner. In Ms Denham’s inaugural speech as Information Commissioner on 29 September 2016 (transcript available here), she made it very clear where her priorities lie. One of her main goals, she says, is to stay relevant. She proudly recalls work in Canada which made a difference to the public; where investigations “pulled back the curtain” on new technologies to help the public better understand the technologies themselves and their impact on personal privacy.
Ms Denham’s fundamental objective over the next five years is to build a culture of data confidence in the UK. How? By focusing the ICO’s advisory, education, investigatory and enforcement work on:
- consumer control;
- transparency; and
Since that inaugural speech, the ICO’s Head of Policy Delivery has re-iterated the vital importance of transparency.
In the past, some have criticised the ICO for an apparent lack of willingness to engage and investigate new technologies which have a potentially significant impact on privacy. That looks set to change under Elizabeth Denham; alongside her new chief technology advisor, and a boost in numbers for the ICO’s technology team.
The GDPR represents a shift in mindset for many organisations; privacy compliance can no longer be seen as a ‘tick box exercise’, and is required to be at the forefront of a business’ operations. The ICO – led by Elizabeth Denham – is very clearly, right behind it!
Dates for the diary
The European Commission is expected to publish its full report on the review and evaluation of the e-Privacy Directive.
Before end of 2016
Royal Assent of Investigatory Powers Bill expected.
7 February 2017
The Irish High Court will hear the Irish Data Protection Commissioner’s case over the legality of the EU Model Clauses.
Royal Assent of the Digital Economy Bill is anticipated.
25 May 2018
The GDPR will become directly applicable across all EU Member States.
For more information and details of all of the other areas covered by the Regulatory Outlook click here.